Re: Discovering users by RCPT TO

From: Marco Ivaldi (raptor@0xdeadbeef.info)
Date: Sat Jan 22 2005 - 05:46:03 EST


> Interesting. It wouldn't be hard to make a Perl script (or other) that
> logs into the SMTP server, then runs through a list of predefined users
> to test and see if they have an account. I would call it information
> disclosure for sure.

Hey pen-testers,

I've just released brutus.pl v0.9.2 that implements such an attack and
fixes some minor reliability bugs. Brutus.pl is a simple Perl script for
remote login/password bruteforce cracking. The supported protocols are:
telnet, ftp, and pop3. It's also possible to get a list of valid users
through smtp vrfy/expn, smtp rcpt (new), and cisco login information leak.

This tool is very basic and has no multi-thread support (for real-life
penetration testing you'd better take a look at thc's hydra), but it's
pretty reliable and easily customizable anyway. It can be downloaded at
the following url:

http://www.0xdeadbeef.info/code/brutus.pl

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
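
A defender's view of the RCPT TO probing discussed in this thread, as an added example that is not part of the original post or of brutus.pl: it flags SMTP clients that draw "user unknown" rejections for many distinct recipients. The Postfix-style reject line format, the addresses and the threshold are constructed assumptions; adapt the regex to your MTA's logging.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on Postfix smtpd reject lines (assumed format).
_REJECT_LINE = (
    "Jan 22 05:40:{sec:02d} mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from "
    "unknown[{ip}]: 550 5.1.1 <{user}@example.org>: Recipient address rejected: "
    "User unknown in local recipient table; from=<> to=<{user}@example.org> "
    "proto=SMTP helo=<x>"
)
_GUESSES = ["admin", "root", "test", "guest", "oracle", "backup"]
SAMPLE_LOG = "\n".join(
    # One client cycling through a list of common account names.
    [_REJECT_LINE.format(sec=i, ip="203.0.113.7", user=u)
     for i, u in enumerate(_GUESSES)]
    # A legitimate sender with a single mistyped recipient.
    + [_REJECT_LINE.format(sec=30, ip="198.51.100.20", user="jonh.smith")]
    # An ordinary accepted-session line that must not match.
    + ["Jan 22 05:40:31 mx postfix/smtpd[811]: connect from unknown[198.51.100.20]"]
)

# Client address and rejected recipient from a 550 reply to RCPT TO.
REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 \S+ <(?P<rcpt>[^>]*)>"
)


def find_enumerators(log_text, min_unknown=5):
    """Return {client_ip: sorted distinct rejected recipients} for every
    client whose number of distinct unknown recipients reaches min_unknown.

    Counting distinct recipients (not raw rejections) keeps a sender that
    retries one mistyped address from being flagged.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = REJECT.search(line)
        if match:
            seen[match.group("ip")].add(match.group("rcpt").lower())
    return {ip: sorted(rcpts) for ip, rcpts in seen.items()
            if len(rcpts) >= min_unknown}


if __name__ == "__main__":
    for ip, rcpts in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients: {', '.join(rcpts)}")
```

The same counts can drive rate limiting or tarpitting of the flagged client at the MTA.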

